From ff648192d90726353c5a037c97a87511076726fa Mon Sep 17 00:00:00 2001
From: Alan Stokes <alanstokes@google.com>
Date: Thu, 24 Feb 2022 16:31:44 +0000
Subject: [PATCH] Block crash_dump from no_crash_dump_domain

These domains already can't transition to crash_dump, but also need to
make sure crash_dump can't be run and pointed at them.

Bug: 218494522
Test: Builds
Change-Id: I76f88faf8ff4c88e85eaf6a8db546dc644a71928
---
 microdroid/system/private/crash_dump.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/microdroid/system/private/crash_dump.te b/microdroid/system/private/crash_dump.te
index a636e9c4f..61dfa0b7d 100644
--- a/microdroid/system/private/crash_dump.te
+++ b/microdroid/system/private/crash_dump.te
@@ -57,6 +57,7 @@ allow crash_dump {
   -init
   -kernel
   -logd
+  -no_crash_dump_domain
   -ueventd
   -vendor_init
 }:process { ptrace signal sigchld sigstop sigkill };
@@ -67,3 +68,5 @@ userdebug_or_eng(`
     logd
   }:process { ptrace signal sigchld sigstop sigkill };
 ')
+
+neverallow crash_dump no_crash_dump_domain:process ptrace;